Clearly three passes was specified at that time. Actually the argument could be made for four passes, since there is the vague requirement to “verify”. Does that mean verify every block on the drive? One block? The official specification doesn’t make this very clear.

But that lack of clarity doesn’t matter now because in 2012 the specification was changed to this –

2012 – If neither of the first two options is supported, use the native read and write interface to write least a single pass with a fixed data value, such as all zeros. Multiple passes or more complex values may alternatively be used.

Appendix A of this document has all the details – here is a repeat from that appendix –

SCSI Hard Drives This includes SCSI, SAS, Fibre Channel, etc. Clear: Overwrite media by using organizationally approved and validated overwriting technologies/methods/tools. The Clear pattern should be at least a single pass with a fixed data value, such as all zeros. Multiple passes or more complex values may alternatively be used.

The new specification document describes the newer purge methods such as the SANITIZE and CRYPTO ERASE commands, but this article is mainly about the question of “how many passes does the DoD 5220 spec require” – and the answer to that is “one pass”. You can do more passes if you like, but one pass will meet the DoD requirement.

Note: all current purge commands such as the SANITIZE and CRTYPTO commands are supported by the STB Suite. In the next STB Suite release an option to specify either a “1-pass DoD” or a “3-Pass DoD” purge will be supported.